Today is World Password Day but a range of alternative authentication methods is challenging passwords so that within the foreseeable future the day of awareness could become obsolete.
Biometrics and cell phones are important to this replacement, with ongoing trials of how effective they might be. There is a flurry of activity in these areas to do away with passwords:
- The Samsung Galaxy S8 phone has an upgraded retinal scanner that can be used to unlock the phone, but that could be used as a second factor in authenticating to any number of online services. The phones also feature the more common fingerprint scanner.
- Rumors have LG adding facial recognition software to their LG G6 phones that could be used in a similar manner.
- Also, Alabama’s revenue department is trialing a face-recognition app from MorphoTrust that uses iPhones to scan taxpayers’ drivers licenses and to scan their face. The backend verifies the identity of the taxpayer by comparing the license image and uses that to authenticate the person filing an electronic return.
- Phones are also used to receive texts of one-time passwords, which does involve a password, but not one the user generates or changes at some point or has to remember for more than a second or two.
- Microsoft’s Hello enables Windows 10 users to login via facial recognition that employs an infrared camera and by scanning fingerprints. A patent application from the company indicates it’s looking at pairing a touchscreen stylus with gestures made on the screen to authenticate.
Microsoft is putting a new spin on this with its Microsoft Authenticator service. Users try to login to their Microsoft accounts and receive texts on their phones asking whether it’s really them trying to access the account. They tap the “approve” button and are authenticated without a password. It’s only good for logging into Microsoft accounts.
= The government in the U.K. is also interested in doing away with passwords altogether and come up with something equally or more secure. The National Cyber Security Centre is looking for proposals to replace passwords and will fund researching them at $32,160 per proposal.
= Analysis of keystroke patterns can be used for to verify that a student taking an exam doesn’t have someone else take it for them.
= On the drawing board is a scheme to use brainwaves as authentication to unlock computers.
Passwords are falling out of favor mainly because they are too difficult for each end user to manage securely and reliably, says Andrew Howard, CTO of Kudelski Security. Strong passwords are difficult to create, hard to remember and need to be changed often. And they shouldn’t be used on more than one account, he says.
But a recent survey by SailPOint says 65% of respondents admit they use the same password multiple times and 44% would sell their passwords for less than $1,000. One in five shares their passwords with co-workers.
Forrester says in a report that passwords are a burden to IT departments. “Using password-based, legacy authentication methods is not only insecure and damaging to the employee experience, but it also places a heavy administrative burden,” according the firm’s report, “The Top Security Technology Trends To Watch, 2017”. “Forrester sees authentication solutions using navigational clickstream analytics, device location and sensor data, and mouse and touchscreen movement attributes to build normal behavior baselines for users and devices, which the solutions can use to detect anomalies.’
As for improving password security, passwordday.org has four recommendations: create strong passwords to begin with, create different passwords for each account, use a password manager and use multifactor authentication.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.